Fwd: FW:

2012-12-27 Thread Arpit Jain
Hi,

I am sending an Access-Request packet using radeapclient without a password.

I am giving the following attributes in radeapclient:

User-Name= testuser

EAP-Code = Response

EAP-Id = 210

EAP-Type-Identity =  testuser 

Message-Authenticator = 0x00

But server is sending Access-Reject to the request.

Following are the logs of radeapclient:

User-Name= testuser

EAP-Code = Response

EAP-Id = 210

EAP-Type-Identity = testuser

Message-Authenticator = 0x00

+++ About to send encoded packet:

User-Name = testuser

EAP-Code = Response

EAP-Id = 210

EAP-Type-Identity = testuser

Message-Authenticator = 0x00

+++ EAP decoded packet:

EAP-Message = 0x01d3001604107b44069aa80b67319a536bfd4f8ac713

Message-Authenticator = 0xb4499f3ee54742d9dd8469980720dcf6

State = 0x8a52e3488a81e7f33f4b54075fcd3936

EAP-Id = 211

EAP-Code = Request

EAP-Type-MD5 = 0x107b44069aa80b67319a536bfd4f8ac713

+++ About to send encoded packet:

User-Name = testuser

EAP-Code = Response

EAP-Id = 211

Message-Authenticator = 0x

EAP-Type-MD5 = 0x10d2c45d5e328b2b2db8bd66c7d171635d

State = 0x8a52e3488a81e7f33f4b54075fcd3936

+++ EAP decoded packet:

EAP-Message = 0x04d30004

Message-Authenticator = 0xf6f7e2707ef22ea86a660a4ddce7fb30

EAP-Id = 211

EAP-Code = Failure

On further investigation, I found an example to test eap-md5 in the source
code (freeradius-2.1.8) in src/tests.

The example is:

echo 'User-Name = eapmd5'

echo 'Cleartext-Password = md5md5'

echo 'NAS-IP-Address = marajade.sandelman.ottawa.on.ca'

echo 'EAP-Code = Response'

echo 'EAP-Id = 210'

echo 'EAP-Type-Identity = eapsim'

echo 'Message-Authenticator = 0'

echo 'NAS-Port = 0' )

But EAP RFC3579 and RFC2869 state that User-Password should not be part of
a RADIUS packet containing an EAP-Message attribute.

It is written that “An Access-Request that contains either a User-Password or
CHAP-Password or ARAP-Password or one or more EAP-Message attributes
MUST NOT contain more than one type of those four attributes. If it
does not contain any of those four attributes, it SHOULD contain a
Message-Authenticator. If any packet type contains an EAP-Message
attribute it MUST also contain a Message-Authenticator.”

Please let me know if any specific configuration needs to be done on the
server so that the server sends Access-Accept.

Thanks in advance.

Arpit
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[no subject]

2012-12-27 Thread Arpit Jain
Hi,

Can we send an accounting request using radeapclient?

  

I am getting the following error:

radeapclient -x 172.168.200.15 acct testing123

User-Name=  testuser 

EAP-Code = Response

EAP-Id = 210

EAP-Type-Identity =  testuser 

Message-Authenticator = 0x00

+++ About to send encoded packet:

User-Name =  testuser 

EAP-Code = Response

EAP-Id = 210

EAP-Type-Identity =  testuser 

Message-Authenticator = 0x00

rlm_eap: EAP-Message not found

+++ EAP decoded packet:


Regards,

Arpit

Generate Access-Challenge from radius server

2012-10-25 Thread Arpit Jain
Hi,

I want to generate Access-Challenge from radius server on Access-Request
packet while using CHAP.
But the server is not generating a challenge packet for any of the
Access-Requests; I am using radclient.

Please tell the configurations to be done on the radius server as well as
attributes to be sent in Access-Request through radclient , so that radius
server can send Access-Challenge packet while replying Access-Request
packet.

I am executing the following command from radclient:
radclient -x server-ip-address auth secretkey
User-Name = testuser
CHAP-Password = testing
ctrl+d


Thanks,
Arpit

Re: Generate Access-Challenge from radius server

2012-10-25 Thread Arpit Jain
I need an Access-Challenge from the RADIUS server.
What attributes should I send through radclient to generate an
Access-Challenge from the RADIUS server?
Is there any specific configuration on the RADIUS server to generate the
Access-Challenge packet?
On 25 Oct 2012 16:12, Alan DeKok al...@deployingradius.com wrote:

 Arpit Jain wrote:
  I want to generate Access-Challenge from radius server on Access-Request
  packet while using CHAP.

   That's not how CHAP works.

  But server is not generating challenge packet for any of the
  Access-request, i am using radclient.

   Because CHAP doesn't send Access-Challenge.

  Please tell the configurations to be done on the radius server as well
  as attributes to be sent in Access-Request through radclient , so that
  radius server can send Access-Challenge packet while replying
  Access-Request packet.

   There is none.  What you want to do is not part of standard RADIUS.

   Alan DeKok.

Compliance testing of Free Radius Client

2012-10-17 Thread Arpit Jain
Hi All,


Please help!!!


Query #1:

*I want to perform RFC compliance testing of FreeRadius client (not server)
available with freeradius package.*

In other words, I want to perform compliance testing on the radclient and
radeapclient binaries available with the freeradius package.


On investigation, I found that the manpage of radclient states:

radclient is a radius client program. It can send arbitrary radius packets
to a radius server, then shows the reply.

It can be used to test changes you made in the configuration of the radius
server, or it can be used to monitor if a radius server is up.



Does it mean that freeradius client is just a dummy client and there is no
point in performing compliance testing on it?



I tried to run the “radclient” binary. I executed the following command for
this

*./radclient server-ip auth secret-key*

Once the above command is executed, the control waits for the attributes
entry.

After the attributes are written, radclient sends radius request packet and
receives response from the server and then it exits.



To again send any authentication or authorization request, radclient binary
needs to be executed again.

As per my understanding, the binary should not have exited.

As radius client sends the Access-request itself once it receives a request
for any service from the user.

Also, if the server does not respond, radius client shall send the request
to an alternate server.

This means that the radius client can handle the user requests at runtime
also. So it should not exit.



*Please let me know if I need some extra configuration to achieve the above
functionality.*


Query #2:

In RFC 2131, it is mentioned that there are three entities in any
freeradius setup: USER, RADIUS CLIENT, RADIUS SERVER.



Does freeradius package provide a separate binary/module for USER
application?

If not, can we consider RADIUS CLIENT as our USER as well?



Thanks,

Arpit